Web Security in Network Security NS7

1,830 views

Published on

Published in: Technology, Economy & Finance
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,830
On SlideShare
0
From Embeds
0
Number of Embeds
43
Actions
Shares
0
Downloads
116
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Web Security in Network Security NS7

  1. 1. Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ [email_address]
  2. 2. Outline <ul><li>Web Security Considerations </li></ul><ul><li>Secure Socket Layer (SSL) and Transport Layer Security (TLS) </li></ul><ul><li>Secure Electronic Transaction (SET) </li></ul><ul><li>Recommended Reading and WEB Sites </li></ul>
  3. 3. Web Security Considerations <ul><li>The WEB is very visible. </li></ul><ul><li>Complex software hide many security flaws. </li></ul><ul><li>Web servers are easy to configure and manage. </li></ul><ul><li>Users are not aware of the risks. </li></ul>
  4. 4. Security facilities in the TCP/IP protocol stack
  5. 5. SSL and TLS <ul><li>SSL was originated by Netscape </li></ul><ul><li>TLS working group was formed within IETF </li></ul><ul><li>First version of TLS can be viewed as an SSLv3.1 </li></ul>
  6. 6. SSL Architecture
  7. 7. SSL Record Protocol Operation
  8. 8. SSL Record Format
  9. 9. SSL Record Protocol Payload
  10. 10. Handshake Protocol <ul><li>The most complex part of SSL. </li></ul><ul><li>Allows the server and client to authenticate each other. </li></ul><ul><li>Negotiate encryption, MAC algorithm and cryptographic keys. </li></ul><ul><li>Used before any application data are transmitted. </li></ul>
  11. 11. Handshake Protocol Action
  12. 12. Transport Layer Security <ul><li>The same record format as the SSL record format. </li></ul><ul><li>Defined in RFC 2246. </li></ul><ul><li>Similar to SSLv3. </li></ul><ul><li>Differences in the: </li></ul><ul><ul><li>version number </li></ul></ul><ul><ul><li>message authentication code </li></ul></ul><ul><ul><li>pseudorandom function </li></ul></ul><ul><ul><li>alert codes </li></ul></ul><ul><ul><li>cipher suites </li></ul></ul><ul><ul><li>client certificate types </li></ul></ul><ul><ul><li>certificate_verify and finished message </li></ul></ul><ul><ul><li>cryptographic computations </li></ul></ul><ul><ul><li>padding </li></ul></ul>
  13. 13. Secure Electronic Transactions <ul><li>An open encryption and security specification. </li></ul><ul><li>Protect credit card transaction on the Internet . </li></ul><ul><li>Companies involved: </li></ul><ul><ul><li>MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign </li></ul></ul><ul><li>Not a payment system. </li></ul><ul><li>Set of security protocols and formats. </li></ul>
  14. 14. SET Services <ul><li>Provides a secure communication channel in a transaction. </li></ul><ul><li>Provides tust by the use of X.509v3 digital certificates. </li></ul><ul><li>Ensures privacy. </li></ul>
  15. 15. SET Overview <ul><li>Key Features of SET: </li></ul><ul><ul><li>Confidentiality of information </li></ul></ul><ul><ul><li>Integrity of data </li></ul></ul><ul><ul><li>Cardholder account authentication </li></ul></ul><ul><ul><li>Merchant authentication </li></ul></ul>
  16. 16. SET Participants
  17. 17. Sequence of events for transactions <ul><li>The customer opens an account. </li></ul><ul><li>The customer receives a certificate. </li></ul><ul><li>Merchants have their own certificates. </li></ul><ul><li>The customer places an order. </li></ul><ul><li>The merchant is verified. </li></ul><ul><li>The order and payment are sent. </li></ul><ul><li>The merchant request payment authorization. </li></ul><ul><li>The merchant confirm the order. </li></ul><ul><li>The merchant provides the goods or service. </li></ul><ul><li>The merchant requests payments. </li></ul>
  18. 18. Dual Signature
  19. 19. Payment processing <ul><li>Cardholder sends Purchase Request </li></ul>
  20. 20. Payment processing Merchant Verifies Customer Purchase Request
  21. 21. Payment processing <ul><li>Payment Authorization: </li></ul><ul><ul><li>Authorization Request </li></ul></ul><ul><ul><li>Authorization Response </li></ul></ul><ul><li>Payment Capture: </li></ul><ul><ul><li>Capture Request </li></ul></ul><ul><ul><li>Capture Response </li></ul></ul>
  22. 22. Recommended Reading and WEB sites <ul><li>Drew, G. Using SET for Secure Electronic Commerce . Prentice Hall, 1999 </li></ul><ul><li>Garfinkel, S., and Spafford, G. Web Security & Commerce. O’Reilly and Associates, 1997 </li></ul><ul><li>MasterCard SET site </li></ul><ul><li>Visa Electronic Commerce Site </li></ul><ul><li>SETCo (documents and glossary of terms) </li></ul>

×